Many articles have been written about the obligation to appoint a data protection officer since the EU General Data Protection Regulation was approved in 2016. But in daily practice, there are still a lot of misunderstandings related to the role of the DPO.
The tasks the GDPR is referring to in Article 39 can be divided into three main categories:
Cooperation with data protection supervisory authority and other stakeholders
The DPO should be the main contact point for the data protection authority. In practice, this means that the DPO should manage and lead the communication with the DPA, including the consultation when a data protection impact assessment finds a high risk. As data subjects should have the possibility to contact the DPO on issues related to the processing of their personal data, the DPO should also act as a contact point and have a chance to react to such claims from data subjects.
Advisory activities
The data controller or processor who has appointed the DPO is responsible for the DPO's proper involvement in the relevant business activities. In other words, the organization shall not only nominate the DPO, but also set up and describe the internal processes and obligations of the business partners to consult the DPO and ask for advice when necessary (when designing new data processing, reusing personal data for further processes, extending the scope of data, etcetera).
Monitoring compliance with the data protection framework and internal regulations
The DPO should systematically control how the GDPR requirements and relevant internal regulations are managed by the organization, document the findings and observations, deliver recommendations on how to fix discovered gaps and monitor their implementation.
One condition to ensure that the DPO is able to carry out these tasks is professional qualification. The GDPR does not explicitly require that the DPO must be a lawyer, but this person should have at least a basic overview of the legal framework related to data protection (sector-specific laws, employment law, etcetera) and its interpretation delivered by relevant supervisory authorities and judicature of European and domestic courts. Practical knowledge about sector-specific data-processing practices is the other important aspect of a qualified DPO.
Other conditions for the DPO to be able to fulfill the tasks properly are associated with its independent role.
Position of DPO and conditions for performing the function
One of the crucial aspects of the DPO role is their independence. Generally speaking, it is not possible to be responsible for a specific process, including data processing and the setup of the data-processing conditions, and at the same time to check its compliance with legal and regulatory requirements.
Aspects of the DPO’s proper position within the organization, including their independence, can be categorized into several specific conditions that ought to be fulfilled in order to maintain compliance with GDPR requirements.
- Functional: The DPO should be able to perform their tasks in an independent manner, meaning that they should neither receive any instructions about results of their activities nor ask for such instruction.
- Organizational: The DPO should have the possibility to report directly to the highest management level of the controller or the processor on data protection topics.
- Prevention of conflict of interest: The DPO should not be in the position that they are responsible both for the data protection/data security and for the monitoring of compliance with the GDPR.
- Resources: The DPO shall have adequate material and personal resources to fulfill their tasks. This condition should be applied and assessed in a flexible way, regarding the specifics of the data controller/processor, the nature and scope of the data processing, the number of employees and data subjects, etcetera. A DPO in a big organization, processing sensitive personal data in a big scope as a part of its core business, should have different resources (staff, time capacity, training budget) than a DPO providing services, for example, to a minor- or medium-size city council.
- Involvement: The DPO should be involved in a timely manner in all activities related to data protection. The DPO should be consulted not only in the phase of new data processing, but also when changes to internal policies will have an impact on data processing, when significant changes to the IT environment and other data-processing tools are being prepared, and when important vendor relationships are being decided.
- Access: The DPO should have access to all information related to data processing operations carried out by the organization. Without access to the information — about the data processing settings, security measures, about the contractual relations with cooperating data controllers or processors — the DPO would not be able to monitor the compliance.
- Maintaining expert knowledge: The data processor/controller is not only responsible for appointing a qualified DPO but also for setting the conditions for the DPO to maintain their expert knowledge (budget for membership fees in professional organizations, external trainings, professional literature, etcetera).
All of the listed aspects should also apply to the members of DPO's team if there are any.
It is the data controller/processor's obligation to ensure that all the above-mentioned aspects of the DPO's proper work are implemented and documented in practice. The best practice for achieving this is to reflect those conditions in the relevant internal policy or policies, with at least a high-level process description and the assignment of responsibility for each condition.
DPO as a part of second line of defense
To better understand the issue of independence, the governance concept that distinguishes so-called first, second and third lines of defense, used in some industries like the financial sector, may be helpful. The job of the first line is to be responsible for day-to-day data-processing operations. In terms of data protection, its job should be to implement GDPR requirements in operational activities and run them effectively. This is usually done via operations, business, IT, etcetera. The role of the second line is to oversee and monitor whether the first line is doing its job properly, mostly on the basis of controls. Compliance or risk departments are typical representatives of the second line.
Considering that the main tasks consist of advisory activities and compliance oversight, positioning the DPO in the second line of defense is a good practice. Positioning or even viewing the DPO as responsible for first-line operational activities, or even as the person responsible for the organization's compliance with the GDPR, would cause an issue, especially in performing the independent monitoring of compliance.
Dealing with data subject requests is a useful example, as it is one of the most common misconceptions about the role. The GDPR states: “Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this regulation.” Based on this, it is often wrongly assumed that the DPO should actually be responding to data subject requests. Nevertheless, there is a difference between being a contact point and handling the requests as part of a day-to-day agenda. Putting aside the question of workload, such an interpretation would simply mean that the DPO is controlling himself or herself, which contradicts the DPO's independent mission.
Key takeaways
- The accountability for implementing and demonstrating compliance with GDPR obligations lies with data controllers (and/or to some extent with data processors).
- The controller shall demonstrate compliance with the GDPR by documenting related processes (policies and procedures) and keeping an audit trail about who is responsible — and how and when — for fulfilling the obligations (e.g., the managers, HR department, IT security, marketing unit, etcetera).
- The DPO should have the means and access in order to review the procedures and escalate possible issues to the highest level of the controller’s management in a proper and independent manner, and their position should be clearly described in the internal documentation.